How Credit Card Data Is Stolen and Sold

By Nick Bilton, May 3, 2011, 3:30 pm

Photo: Bobby Yip/Reuters. Stolen credit card numbers can sell for up to $10 each in online underground markets.

Last week, after the Sony PlayStation Network was attacked by a group of unknown hackers, Sony’s 77 million customers, along with security specialists and government officials, were surprised by the amount of information that might have been stolen from the company.

But there was another group that worried about the attack: other hackers who steal credit card numbers and personal identity online and then sell and trade this information in underground markets.

“We’re keeping a close eye on the Sony story as it would drastically affect the resale of other cards,” explained an experienced hacker based in Europe who declined to share his name due to the nature of his work.

Kevin Stevens, senior threat researcher at the computer security firm Trend Micro, explained in an interview last week that there was a lot of discussion taking place in hacker forums about the Sony data breach. Several credit card dealers are worried that the distribution of millions of credit cards would flood the market and lower prices, he said.

According to a number of security researchers, the sale of stolen information and credit cards often takes place completely underground in secret credit forums, where hackers exchange or sell data. These forums are closed to the public, and people who join the groups are vetted by forum administrators to ensure they are not from law enforcement.

Posts on the forums usually list the type of information for sale, including names and addresses associated with the cards, and a price that can be negotiated. Once someone agrees to buy the information, the transaction takes place out of the forum in a secret chat room, usually using a private and secure I.C.Q. room.

Mr. Stevens said stolen credit cards usually sold for about $5 to $10 online, yet the prices vary based on the amount of information supplied with the card data and the account limit.

Hackers who claim they are responsible for the Sony breach wrote on underground forums last week that they had access to over 2.2 million credit cards. If these millions of new stolen cards were sold online, the price could fall well below the standard rate, to as low as $1 or $2 each.

To make matters worse, Sony said Monday that another server had been affected by the breach last week and as many as 12,700 credit and debit cards could have been stolen during the attack.

Mathew Solnik, a security consultant with iSEC Partners, said he doesn’t see any signs of a slowdown with the sale of credit card data or personal information online. “As more companies keep databases of people’s personal data, including credit cards, there is more incentive for hackers to gain access to their servers and make a lot of money reselling this sensitive information.”

So what can be done to stop the resale of personal information?

Kevin Mahaffey, the chief technology officer at Lookout Mobile Security, said companies needed to stop collecting so much personal information. “Data has a new lever of value in society,” he said in an interview. “We now have robust economies that have grown around personal information and credit cards.”

“One of the best things companies can do is not collect the data in the first place,” explained Mr. Mahaffey. “Some companies now consider this type of data nuclear waste; you don’t want to store if you don’t have to.”